Spec-Zone .ru
спецификации, руководства, описания, API
Java

Security enhancements and changes
JavaTM 2 SDK, Standard Edition, v 1.3

Documentation Contents

trustProxy Property Now true by Default

In version 1.3 of the Java Plug-in, the trustProxy property is set to true by default. In previous releases of the Java platform, trustProxy was false by default.

Reason for the change:
To prevent DNS spoofing, a security check in Java Plug-in requires the server-side host name to be resolved into an IP address before any connection is made from the applet. As part of this security check, the client-side intranet DNS server must be able to resolve external host names from the Internet. However, the DNS servers within many enterprise networks are not able to perform this resolution due to firewall or other security restrictions on the enterprise site. The trustProxy property has been set to true by default so that in such cases the Java Plug-in will defer the DNS name resolution to the client site's proxy server.

Security implication of the change:
Because the DNS lookup can be delegated to the proxy server when the trustProxy property is true, care should be taken that the proxy server will not expose the local site to DNS spoofing attacks. The proxy server should consistently map a given host name to the same IP address and should never map an Internet server host name to the IP address of a machine on the local, client-side intranet. If the proxy server cannot be trusted to always provide unique host-name/IP-address mappings or cannot distinguish between internal and external IP addresses, network administrators may want to set the trustProxy property equal to false. This can be done by entering -DtrustProxy=false in the Java Run Time Parameters field of the Java Plug-in Control Panel. When trustProxy is false, DNS lookup will be up to the client-side intranet DNS server and will not be delegated to the proxy server. This will mean, however, that applets will not be able to be downloaded over the Internet whenever the intranet DNS server cannot resolve the applet server's host name.

New Classes/Interfaces

Modified Classes/Interfaces

Miscellaneous Information


Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.

Please send comments to: java-security@sun.com. This is not a subscription list.
Sun
Java Software